A key takeaway from SBI’s call for applications for ‘Data Protection Officer’

State Bank of India, to my knowledge, is one of the first Indian banks to announce positions for a “Data Protection Officer”.

I take this as a good sign that the Bank has recognized the need for a dedicated officer. With the Personal Data Protection Bill still under consideration, the call for applications may be driven more by demand from the Bank’s foreign branches, which are likely to have received notices from supervisory authorities in foreign jurisdictions; but it could also be an early sign of the realization that data protection is a business necessity.

The educational qualifications required for the post are as follows:

  • Graduation or its equivalent
  • Preferred professional certification:
      • Certified EU GDPR Foundation
      • CIPP (Certified Information Privacy Professional)
      • CIPT (Certified Information Privacy Technologist)
      • CIPM (Certified Information Privacy Manager), etc.

The post-qualification work experience required is:

  • Minimum 15 years’ post-qualification work experience (as on 01.04.2020) as an executive/supervisor in the corporate sector, of which at least 10 years should be in the BFSI sector.
  • Preferred: experience in data privacy laws and regulations and other data security areas, with the associated IT skills.
  • The upper age limit is 55 years, and the appointment is contractual, for 2 years.

The following special skills have been specified:

  • High-level specialist knowledge of the General Data Protection Regulation, underpinned by theory and experience.
  • Evidence of continuing professional and/or personal self-development.
  • Expert knowledge of data privacy laws and practices.
  • Exposure to data privacy laws and regulations such as the General Data Protection Regulation (GDPR), the UK Data Protection Act 1998, etc.
  • Knowledge of the information life-cycle, risk management and data security areas.
  • Extensive knowledge of information governance disciplines.
  • Ability to interpret national guidance and legislation and to implement it locally.
  • Flair for managing staff and implementing budgets; training delivery.
  • Capacity to work with cross-functional teams, attention to detail, organizational skills and multitasking.
  • Strong management, motivational and leadership skills, with the ability to drive large change management programs within organizations.
  • Ability to maintain confidentiality and deal with situations in a sensitive manner.
  • Ability to communicate across all organizational boundaries in an appropriate manner.

Key Takeaway

The job description and the specified qualifications make no mention at all of knowledge of Indian data protection law, whether under the Information Technology Act 2000 (as amended in 2008) or under the proposed Personal Data Protection Bill.

The use of “etc.” in several places may be intended to cover knowledge of such laws, and it may be taken into consideration when candidates are screened.

Overall, such an announcement indicates that other banks will soon start considering these positions as well, opening up opportunities for “Data Protection Professionals”.

DECODING THE STANDARD CLAUSES OF GDPR- (1)

It is now more than six months since the General Data Protection Regulation (GDPR) came into effect, and still many SMEs are inquisitive about it as if it were something yet to be enforced at some future date. No doubt that is why GDPR is getting so much attention in the global market. It is the globalization of the market and its integration with the internet that makes GDPR a big deal, even though it is an EU regulation (note, however, that under Article 3 it also reaches non-EU businesses that offer goods or services to, or monitor the behaviour of, individuals in the EU). GDPR includes some very basic elements that can potentially become the standard for data protection law across the globe. Therefore, before discussing its sector-wise impact, it is important to know the obligations and rights, under the GDPR, of the key stakeholders that deal with personal data.

It is very important to understand that the GDPR is prescriptive in nature, in light of the debate around its being strict and harsh on SMEs. “Prescriptive” means that it essentially prescribes the practices that businesses operating in Europe must follow, including when drafting their privacy policies. In particular, GDPR is prescriptive about the need for contracts governing the sharing of personal data of individuals in the EU in the following three brackets:

  1. Data Sharing between Co-controllers;
  2. Processors appointed by Controllers;
  3. Sub-Processors appointed by Processors (data centres or any other kind of support behind the vendor).

______________________________________________________________________

NOTE: Before describing anything related to the standard clauses under GDPR, it is important to understand the basic meanings of certain terms, which are used in this article in the following senses:

Data-Subject refers to an identified or identifiable natural person, identified directly or indirectly through an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an end user whose personal data is collected.

Data-Controller, according to the GDPR, is “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” For example, a business obtaining customer or employee details, or a school, college or university holding student records.

The data controller bears the responsibility for compliance with the data protection rules and for enabling data subjects to exercise their rights. Put simply, the controller is the manager of the personal data and instructs the processor. The controller decides the purpose for which personal data is required and what personal data is necessary to fulfil that purpose.

A data controller acts with its own autonomy. A party that is constrained in how it can handle personal data is less likely to be a data controller and more likely to be a data processor.

GDPR defines a Data-Processor as:

a natural or legal person (or public authority, agency or other body) that processes personal data on behalf of the data controller.

A data processor would typically be a separate business entity (whether a company, partnership or sole trader) serving the interests of, and carrying out the instructions of, the data controller in its processing of the personal data.

The role of a data processor could include storing data, retrieving data, running the payroll for business, carrying out marketing activities, or providing security for data.


PRACTICAL SCENARIO:

X Ltd. has entered into a contract with Y Ltd., giving Y Ltd. clear instructions to send an email advertising X Ltd.’s new range of products.

X Ltd. provides Y Ltd. with an email template and a spreadsheet of personal email addresses (all obtained with valid GDPR consent).

X Ltd. stipulates that the spreadsheet is to be used only for the purpose of sending this advertising email.

Y Ltd. is bound by the instructions of X Ltd.

In this scenario, Y Ltd. is the data processor and X Ltd. is the data controller.

______________________________________________________________________

Knowing obligations and rights of Controllers

In practice, in the European Union, vendors, sellers and suppliers are pushing for standard contracts that comply with the GDPR, as all commercial negotiations relating to data sharing are now governed by it and EU controllers are very concerned about managing risk. As the marketplace is still nascent, guidance and enforcement are much needed. It is therefore important to identify and categorize whom one shares data with or receives data from, to determine the processor’s obligations under the GDPR, and to ensure the stability of internal processes. Another thing to know, in order to grasp the GDPR in its true essence, is that contracts are only one part of wider GDPR compliance and by no means the whole of it.

Article 5 of the GDPR presents the big picture, setting out the core principles behind the standard provisions relating to the protection of personal data:

  • Data must be processed lawfully, fairly and in a transparent manner, and this should be the primary concern of the controller. This principle is a reminder of the significant issues which a stakeholder must set out clearly in its contracts in order to specify responsibilities, process and liabilities.
  • Data minimisation must be the essence of every privacy policy. Put simply, it means that the personal data processed should be limited to what is necessary for the purposes for which it is processed.
  • Data must be accurate and kept up to date. The principle requires that inaccurate or out-of-date data be erased or rectified without delay, and it is one of the clauses that gives practical shape to the rights to rectification and erasure (the “right to be forgotten”).
  • Storage limitation: personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing, subject to certain exceptions (such as archiving in the public interest or for research).
  • Security and integrity of data: an obligation to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures. The phrase “integrity and confidentiality” appears at several places in the GDPR and is there to remind stakeholders of what is expected from their data-protection policy.
  • The principle of accountability puts it straight that under the GDPR a stakeholder is not only supposed to comply with the regulation but has to be able to demonstrate that compliance. Therefore, accountability should be visible explicitly in every contract and privacy policy.
  • There is another principle that is not present in the text of Article 5 but is provided for under Article 25 of the GDPR: data protection by design and by default. The theme behind it is that a stakeholder has to embed privacy in every part of its privacy policy that deals with the personal data of individuals in the EU, and hence the contract should highlight it as well.

With the principles known, one can move on to understand the letter and spirit of what the GDPR enforces:

The GDPR has specific requirements for joint controllers and for controller-processor/sub-processor arrangements. According to Article 26 of the GDPR, a joint controller relationship is one in which two or more controllers jointly determine the purposes and means of processing. Article 26 requires the joint controllers to determine, in a transparent manner, their respective responsibilities for compliance, and the GDPR requires that the essence of this arrangement be made available to the data subject. Stakeholders therefore have to incorporate these responsibilities clearly in their contracts and policies. The arrangement must clearly delineate which party will be responsible when a data subject exercises his or her rights, bearing in mind that, irrespective of the arrangement, the data subject may exercise those rights against each of the joint controllers.

Knowing obligations and rights of Processors

Controllers are further obliged to appoint only those processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. This means that the controller should undertake a proper due diligence process before appointing a processor. Although the GDPR does not prescribe this due diligence as a mandatory explicit contractual requirement, it is always better to cover off the risk by documenting the position in writing, especially anything related to the processor under Article 28 of the GDPR, in order to demonstrate accountability in commercial contracts. For processors, Article 28(3) of the GDPR has highly specific requirements about what the contract must set out:

  1. The subject-matter of the processing;
  2. The duration of the processing;
  3. The purpose of the processing;
  4. The type of personal data being processed;
  5. The categories of data subject;
  6. The obligations and rights of the controller.

Therefore, the data processing activities that are contracted out to the processor should be laid out in detail. Even that is not enough, as there are a number of obligations on the processor under Chapter IV of the GDPR, including that it process the data only on the documented instructions of the controller. Again, a point to note is that the GDPR does not mandate that all such instructions be covered in the initial contract, but most policy drafters suggest that a stakeholder should include at least the basic instructions, for example who is authorized to give them, to whom they need to be sent and how quickly they need to be acted on.

The GDPR singles out international data transfers in particular as a matter on which a Data Processor must contractually agree to act only on the instructions of the Controller. An appropriate confidentiality commitment in respect of the persons authorized to process the personal data also needs to be included. The processor has to comply with the security obligations under Article 32 of the GDPR, and has to delete or return the personal data, at the controller’s choice, at the end of the contract. For the first time in EU law, data processors have direct liability to data subjects in relation to certain GDPR breaches. As a result, all the parties involved in the collection, processing and sharing of data have a greater interest in ensuring that contractual liability is dealt with in the way most advantageous to them.

Knowing obligations and rights of Sub-Processors

Finally, sub-processors are also worth mentioning, as the GDPR provides in detail for the authorisation of sub-processor appointments under Article 28(2) and 28(4). A processor cannot appoint a sub-processor without the prior specific or general written authorisation of the controller. Where the controller gives a general written authorisation, the processor has to inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object. The contract should therefore specifically set out how the notification and approval processes will work under a general authorisation. The processor has to impose on the sub-processor the same data protection obligations that apply to it under its own contract with the controller. Under the GDPR, the initial processor remains fully liable to the controller for the performance of the sub-processor’s obligations, which makes the allocation of liability a vital requirement.

GDPR compliance is about more than complying with the letter of the law; regulators are going to be looking at whether the stakeholder is complying with its spirit as well.

In order to ensure compliance, the controller needs to ensure flow-down in its contracts: wherever the controller has an obligation with which a processor or sub-processor will assist, the contract must delineate that obligation. The ICO draft guidance provides a well-developed checklist to ensure the proper drafting of clauses relating to the controller’s obligations.


The next blog in the GDPR series will deal with the provisions of the GDPR that give specific instructions for the drafting of privacy policies and private contracts.

The following are suggested reading to understand the technicalities of the obligations and rights of data subjects, controllers and processors in more detail:

https://www.porterdodson.co.uk/blog/gdpr-who-is-the-data-controller-who-is-the-data-processor-and-what-is-the-lawful-basis

https://www.wsiworld.com/blog/responsibilities-of-a-controller-processor-and-data-protection-officer-according-to-gdpr/

https://www.dporganizer.com/gdpr-data-controller-vs-processor/

https://termsfeed.com/blog/gdpr-data-controller-vs-processor/


To read the GDPR Regulations, click here.

The Road to GDPR: Historical Context behind the European Data-Protection Laws

For the last few months, internet users have been receiving hundreds of emails and pop-ups from different websites about updates to their privacy policies. This is a formal process that most Europe-based firms and service providers have been completing in order to become compliant with the much-debated General Data Protection Regulation (GDPR). The GDPR became applicable across the European Union on 25 May 2018 (it had entered into force in May 2016, with a two-year transition period), providing significant upgrades to the EU data protection regulatory framework. It is a regulatory enhancement over EU Directive 95/46/EC on Data Protection, adopted more than 20 years earlier, which centred on the protection of individuals’ personal data in the era of early internet users, who processed and moved such data around from various cyber-cafes. The Directive later became the practical constraint that directed internet service providers on the procedure to be adopted before processing users’ personal information. Twenty years on, the Internet is ubiquitous, and its applications are all around us. The GDPR’s requirements are therefore going to massively impact the data-usage practices of both consumers and companies.


GDPR is a much-talked-about topic these days, as there is a lot of confusion about what is and is not covered by it. The debate on the acceptance of GDPR became more heated as a string of small and medium enterprises withdrew from the EU market or shut down operations entirely in order to avoid the hefty costs of compliance. Such events in themselves show that the GDPR is a strict law. GDPR is a far-reaching and multifaceted regulation, requiring companies to give consumers significant control over their personal data, including by establishing new rights for the individual (the right to data portability, the right to be forgotten, etc.). Another stringent check on companies is the much-debated introduction of fines of up to €20 million or 4 percent of the company’s worldwide annual turnover, whichever is higher, for breaches of the regulation. Unarguably this makes the EU a regulatory superpower, leading the pack of stricter regulations on data protection. Why is the EU so adamant on such strict regulations, which could break up the global internet into regional or national chunks? The seriousness of the penalties reflects a European approach to privacy that can be traced back, in large part, to the history of its members’ experiences with personal data being used for plainly wrong purposes. To have a clear focus on the GDPR and the European approach to data protection, it is important to explore the dark past of data protection in Europe.

The causes for adopting such a strict approach can be traced back to the Europe of the World War II era, during which the Nazis in Germany consistently abused private data and personal information in order to create profiles of citizens and identify Jews and other minority groups. During the Nazi regime, the state’s control of the market brought with it control of information technology as well. Access to such data also opened the door to census information indicating residents’ nationalities, native languages, religion and profession. The punch cards used to feed in this information were processed by early data-processing machines known as Hollerith machines, allegedly manufactured by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH (Dehomag), as described in the book IBM and the Holocaust: The Strategic Alliance between Nazi Germany and America’s Most Powerful Corporation. The use of census data to create a database of personal profiles on the basis of which discriminatory policies could be imposed on a broad scale is a disturbing fact from the dark past of the free movement of data.

The exploitation of private data did not end in Germany with the end of WWII; it continued in the East German state, at first to keep track of the pro-Nazi agenda and later, in the Cold War era, to track spies of the West German state. This was one of the first instances of mass surveillance by a state, carried out through the screening of private communications, periodic searches of houses, and so on. The state kept every kind of personal detail in its files, from people’s friends to their sexual habits. The Stasi, the East German secret police, became notorious for such practices. As the Stasi extended its surveillance across the border, in response, in 1970 the West German state of Hesse approved what is considered the country’s first modern data privacy law, concerning public-sector data. This was followed by the 1977 Federal Data Protection Act, designed to protect residents “against abuse in their storage, transmission, modification, and deletion.” Western Europe’s push on privacy-related matters rendered the right to privacy a legal imperative in the Data Protection Convention (Treaty 108), adopted by the Council of Europe in 1981.

Such concerns about the exploitation of census data led to a landmark judgment of the German Federal Constitutional Court (the 1983 census decision) that the right of “self-determination over personal data” (informational self-determination) is a fundamental right. This later became the cornerstone of the EU’s view today. As European countries debated the importance of citizens’ personal data, the first data protection legislation introduced into Irish domestic law was the Data Protection Act 1988, and many Commonwealth countries adopted comparable comprehensive legislation into their domestic law. The end of the Cold War coincided with a rise in data transfers throughout Europe in the ’90s, and this is how the migrating market across the European continent became a threat to the personal data of the citizens of individual European states. Therefore, as part of establishing a single market, the EU also adopted the 1995 data protection directive, and cautious attitudes about privacy became a European norm. The European Data Protection Directive reflected technological advances and introduced new terms, including processing, sensitive personal data and consent, among others.

The 1995 Directive was supplemented when the EU adopted the Directive on Privacy and Electronic Communications in 2002. In 2006, the EU Data Retention Directive, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, was adopted, although it was declared invalid by a Court of Justice ruling in 2014 for violating fundamental rights. In 2009, the EU amended its electronic communications rules in response to email addresses and mobile numbers becoming prime currency in marketing and sales campaigns. Perhaps most famously, in 2014 Europe’s top court, the Court of Justice of the European Union, affirmed the so-called right to be forgotten and ruled that Google has to abide by user requests to take down data that “appear to be inadequate, irrelevant or no longer relevant” (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, ECLI:EU:C:2014:317). Since then, Google has received 655,000 requests to remove about 2.5 million links, and has complied with 43.3% of those requests.

Given such a complex historical backdrop, European data protection legislation is intuitively more appealing and less subject to resistance. Europe has always been the most active regime in terms of privacy enactments that apply to all sectors of the economy. Within this legacy, the GDPR is a significant upgrade to that 1995 law. In the light of the Cambridge Analytica Facebook data scandal and the Equifax hack, such an upgrade is considered a step that will reinforce consumer confidence with an assurance that their personal data is protected. Other regulations will require updating in alignment with the GDPR, such as the ePrivacy Directive and Regulation 45/2001, which applies to the EU institutions when they process personal data. Member states are entitled to provide specific rules or derogations from the GDPR where freedom of expression and information is concerned, or in the context of employment law or scientific or historical research.